creating_valid_startssl_certificates

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
creating_valid_startssl_certificates [31.12.2011 11:35] Pascal Sutercreating_valid_startssl_certificates [27.10.2016 17:31] (current) Pascal Suter
Line 1: Line 1:
-====== Creating Validated StartSSL Certificates ======+====== Creating Validated SSL Certificates ======
  
 this is just a bunch of steps i can't seem to remember each time i need a new certificate.. so i write it down in here :)  this is just a bunch of steps i can't seem to remember each time i need a new certificate.. so i write it down in here :) 
  
-first of all you need to create a user account at startssl.com and download and install the mime certificate from them that will authenticate you against their service+I used to use startssl.com as they are free. but eventually i got annoyed by having to renew my certificates every year and messing around with the client certificate needed to acecss their customer portal, so i changed over to gogetssl.com which sell ridiculously cheap (as in $4 per year) certificats which last 3 years and all you need to access the portal is an email address and password :) 
  
-now you need to run the validations vizard and validate your ownership of the domain you need certificate for+with most providers of simple domain verification certificates, you usually need to prove ownership of a domain by receiving an email at webmaster@domain or some other @domain email address THEY propose.
  
 ===== SSL Certificate ===== ===== SSL Certificate =====
Line 23: Line 23:
   cat > server.crt   cat > server.crt
 then paste the certificate and hit return and then ctrl+D  then paste the certificate and hit return and then ctrl+D 
 +
 +For StartSSL, download the [[http://www.startssl.com/certs/sub.class1.server.ca.pem|Certificate Chain File]] to your server. Other providers sometimes include a pem file or a bundle file in their downloads with the certificate itself and some others (like comodo) provide a set of crt files which need to be combined into a package for apache. for comodo you get three files and they need to be cat-ed togeterher into one bundle.crt: 
 +  cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> bundle.crt
 +
 +last but not least you need to make sure your apache ssl config is pointing to those files. make sure you have these lines in your virtual host configuration to enable and configure ssl for your site. of course you need to make sure the paths match your setup :)
 +<code>
 +        SSLEngine on
 +        SSLProtocol all -SSLv2
 +        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
 +        SSLCertificateFile    /etc/ssl/certs/server.crt
 +        SSLCertificateKeyFile /etc/ssl/certs/server.key
 +</code>
 +if you have a pem file add this line as well: 
 +  SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
 +if you had to compile your package like shown above, you can use this line 
 +  SSLCACertificateFile "/ssl/bundle.crt"
 +
 +
 +now **reload apache**
 +
 +==== sec_error_ocsp_unknown_cert ====
 +shortly after updating (orp probalby also creating) a certificate with startssl firefox might not allow you to access the site, returning an error sec_error_ocsp_unknown_cert. this is because apparently startssl's ocsp server needs to reload its cached entries first in order for the new certificates to be usable through firefox. so just allow it some time to catch up and it should all work. 
 +
  
  • creating_valid_startssl_certificates.1325327755.txt.gz
  • Last modified: 31.12.2011 11:35
  • by Pascal Suter